Fluid Attacks Database

Description

Moby Race Condition vulnerability moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	docker.io	=20.10.10+dfsg1-1 \|\| =20.10.11+dfsg1-1 \|\| =20.10.11+dfsg1-2 \|\| =20.10.14+dfsg1-1 \|\| =20.10.17+dfsg1-1 \|\| =20.10.19+dfsg1-1 \|\| =20.10.21+dfsg1-1 \|\| =20.10.22+dfsg1-1 \|\| =20.10.22+dfsg1-2 \|\| =20.10.23+dfsg1-1 \|\| =20.10.24+dfsg1-1 \|\| =20.10.25+dfsg1-1 \|\| =20.10.25+dfsg1-2 \|\| =20.10.25+dfsg1-3 \|\| =20.10.25+dfsg1-4 \|\| =20.10.5+dfsg1-1 \|\| =20.10.5+dfsg1-1+deb11u1 \|\| =20.10.5+dfsg1-1+deb11u2 \|\| =20.10.5+dfsg1-1+deb11u3 \|\| =20.10.5+dfsg1-1+deb11u4 \|\| =20.10.8+dfsg1-1 \|\| =20.10.8+dfsg1-2 \|\| =26.1.4+dfsg1-1 \|\| =26.1.4+dfsg1-2 \|\| =26.1.4+dfsg1-3 \|\| =26.1.4+dfsg1-4 \|\| =26.1.4+dfsg1-5 \|\| =26.1.4+dfsg1-6 \|\| =26.1.4+dfsg1-7 \|\| =26.1.4+dfsg1-8 \|\| =26.1.4+dfsg1-9 \|\| =26.1.4+dfsg2-1 \|\| =26.1.4+dfsg3-1 \|\| =26.1.5+dfsg1-1 \|\| =26.1.5+dfsg1-10 \|\| =26.1.5+dfsg1-2 \|\| =26.1.5+dfsg1-3 \|\| =26.1.5+dfsg1-4 \|\| =26.1.5+dfsg1-5 \|\| =26.1.5+dfsg1-6 \|\| =26.1.5+dfsg1-7 \|\| =26.1.5+dfsg1-8 \|\| =26.1.5+dfsg1-9 \|\| =27.5.1+dfsg1-1 \|\| =27.5.1+dfsg1-2 \|\| =27.5.1+dfsg2-1 \|\| =27.5.1+dfsg3-1 \|\| =27.5.1+dfsg3-2 \|\| =27.5.1+dfsg3-3 \|\| =27.5.1+dfsg3-4 \|\| =27.5.1+dfsg3-5 \|\| =27.5.1+dfsg3-6 \|\| =27.5.1+dfsg4-1 \|\| =27.5.1+dfsg4-2 \|\| =28.5.2+dfsg1-1 \|\| =28.5.2+dfsg2-1 \|\| =28.5.2+dfsg3-1 \|\| =28.5.2+dfsg3-2 \|\| =28.5.2+dfsg4-1	-
debian 14	docker.io	>=0 <26.1.4+dfsg1-9	26.1.4+dfsg1-9
go	github.com/moby/moby	>=0 <26.0.0	26.0.0
debian 12	docker.io	=20.10.24+dfsg1-1 \|\| =20.10.24+dfsg1-1+deb12u1 \|\| =20.10.25+dfsg1-1 \|\| =20.10.25+dfsg1-2 \|\| =20.10.25+dfsg1-3 \|\| =20.10.25+dfsg1-4 \|\| =26.1.4+dfsg1-1 \|\| =26.1.4+dfsg1-2 \|\| =26.1.4+dfsg1-3 \|\| =26.1.4+dfsg1-4 \|\| =26.1.4+dfsg1-5 \|\| =26.1.4+dfsg1-6 \|\| =26.1.4+dfsg1-7 \|\| =26.1.4+dfsg1-8 \|\| =26.1.4+dfsg1-9 \|\| =26.1.4+dfsg2-1 \|\| =26.1.4+dfsg3-1 \|\| =26.1.5+dfsg1-1 \|\| =26.1.5+dfsg1-10 \|\| =26.1.5+dfsg1-2 \|\| =26.1.5+dfsg1-3 \|\| =26.1.5+dfsg1-4 \|\| =26.1.5+dfsg1-5 \|\| =26.1.5+dfsg1-6 \|\| =26.1.5+dfsg1-7 \|\| =26.1.5+dfsg1-8 \|\| =26.1.5+dfsg1-9 \|\| =27.5.1+dfsg1-1 \|\| =27.5.1+dfsg1-2 \|\| =27.5.1+dfsg2-1 \|\| =27.5.1+dfsg3-1 \|\| =27.5.1+dfsg3-2 \|\| =27.5.1+dfsg3-3 \|\| =27.5.1+dfsg3-4 \|\| =27.5.1+dfsg3-5 \|\| =27.5.1+dfsg3-6 \|\| =27.5.1+dfsg4-1 \|\| =27.5.1+dfsg4-2 \|\| =28.5.2+dfsg1-1 \|\| =28.5.2+dfsg2-1 \|\| =28.5.2+dfsg3-1 \|\| =28.5.2+dfsg3-2 \|\| =28.5.2+dfsg4-1	-
debian 13	docker.io	>=0 <26.1.4+dfsg1-9	26.1.4+dfsg1-9

Aliases

1. CVE-2024-366212. NVD-2024-366213. OSV-DEBIAN-2024-366214. OSV-2024-366215. GHSA-2mj3-vfvx-fc436. GCVE-2024-366217. SECURITY-TRACKER-CVE-2024-36621

References

1. https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e2. https://gist.github.com/1047524396/5d44459edab5fafcdf86b43909b811353. https://github.com/moby/moby/blob/v25.0.5/builder/builder-next/adapters/snapshot/layer.go#L24

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.